This article is part three in our series on Five Ways You Help Keep the University Secure. This month, we discuss how to avoid email phishing attempts.
What is Phishing?
People often confuse phishing and spam, but these two types of unwanted emails are inherently different. While both are annoying, phishing is intrinsically malicious, whereas spam is harmless. Phishing is cybercrime, and the criminals who create phishing emails are trying to steal your identity, steal your money, or both.
Cybercriminals pose as legitimate companies or organizations and use social engineering to trick message recipients into providing personal data by opening links to infected websites or launching malicious files on their computers. They design phishing emails to deceive people and may try to trick you either into entering your username and password into a fake login page or into downloading and installing malware onto your device. Some types of malware can capture personally identifiable information (PII) such as your Social Security number, credit card numbers, medical records, educational records, or a username/password combination (aka credentials).
Phishing takes many shapes. While most people think of it as email, criminals also send phishing messages via SMS, phone call, or voicemail. No matter the format or design, the goal is the same. Cybercriminals are trying to obtain critical pieces of information that will lead to identity and financial theft.
Why Does it Matter to UNH?
Phishing is one of the most critical cybersecurity threats facing the University. Simply opening an email or attachment, replying to an email, voicemail, or text, or clicking on a link in a phishing message creates a security risk to the University. Phishing endangers the University and creates the following potential security incidents:
UNH is a gold mine of personal data, and that’s why we are an attractive target. We are custodians of hundreds of thousands of records containing PII. Cybercriminals target UNH because a single piece of stolen PII can fetch thousands of dollars.
Who Falls for Phishing, anyways?
We all like to think we’re good at spotting malicious messages, but the numbers tell a different story.
How to Spot a Phish – Key Indicators
First and foremost, most phishing emails create a sense of urgency to get a quick response. These messages threaten negative consequences (for example, “Respond in 24 hours or your email will be shut off”) or offer positive incentives (for example, “All employees who sign-in before the end of the day win a free lunch”). Most phishing sites are only active for 48 hours. Hence, the criminal’s goal is to get you to respond immediately without thinking it through.
Secondly, most phishing emails also include two or more of the following features:
It is important to note that phishing emails can also come from internal email addresses. Sometimes a UNH employee or student falls for a phishing attack. They provide their username and password to the cybercriminal, who then uses those credentials to send phishing emails from a valid UNH email account. The cybercriminal's goal is to repeat the cycle and harvest additional credentials from UNH users.
What to do if you get a Phishing Email
If you receive an email you suspect is phishing:
If you fall for a phishing email, call the UNH IT Service Desk ASAP for assistance.
UNH Information Security Services created a UNH Information Security Training Course in Canvas to teach UNH students, faculty, and staff the best practices to help keep the University Secure, and also to test your knowledge. You can enroll in the course here: https://mycourses.unh.edu/courses/34479 and after completing the module, complete the Don’t Take the Bait Quiz at https://mycourses.unh.edu/courses/34479/quizzes/104630.
This article concludes part three of our series. Next month, we discuss how to handle data with care.